I've defined a Blade section called title, which I use like, for example, @section('title', 'Log in'), which will then get printed as <h1>Log in</h1>. However, on some pages the title will be determined by user input (namely $subject). I've found that if I do @section('title', $subject->name) then this value will not be escaped, which leaves my site open to XSS attacks. How can I avoid this?
In Laravel you can use the e helper function to escape values. You should be able to do something like this:

@section('title', e($subject->name))

If you take a look in the BladeCompiler code, you can see that Laravel itself converts the default escaped output ({{ }}) into e(..)